Enterprise IT infrastructures now face such an explosion of applications, devices, and data that just running in place is hard enough. Nobody seems to have the time or resources to design new systems that actually improve operations. Nonetheless, there's one step you can take to make life easier and your infrastructure stronger as you deal with rampant growth: introduce logical separation wherever you can.
It doesn't really matter whether you're talking about segregating compute bandwidth, storage capacity, networking gear, or different types of data; the reasoning is the same. Maintaining solid performance, tight security, high efficiency, and easy manageability all require thoughtful partitioning of different types of services and data -- partitioning that's often extremely difficult or even impossible to do after the fact.
The process will vary greatly depending upon which technology you're working with. But one common thread should run through every level of your infrastructure: Keep it separated.
Segregating the network
As you read this, chances are you're sitting behind a combination of network security hardware: firewalls, IDS/IPS, content filters, and the like. If your organization operates Internet-accessible services such as Web and email servers, those systems probably also include one or more DMZs that isolate those vulnerable services from the fleshy underbelly of the internal corporate network. Almost any IT pro is familiar with this kind of security-oriented network segregation -- and anyone who operates without it does so at his or her peril.
But that's not where the network security story ends. Even in the smallest corporate networks, real benefits can be derived from heavily partitioning the internal network, at a minimum involving the use of VLANs and L3 routing if not full-blown internal firewalling. In years past, this kind of network segregation was generally used to increase performance by controlling broadcast traffic in very large networks. Today, with much larger and more diverse populations of network-attached devices -- from employee smartphones to facility HVACR systems -- it is increasingly important to treat the once-trusted internal network as an imminent threat that needs to be protected from itself.
The trouble is that very few enterprises opt to implement these kinds of internal security measures, despite the fact we live in a world where incredibly virulent, purpose-built worms seek and destroy industrial control systems. Yes, these kinds of threats are still fairly unusual, but you can bet they won't be for very long.
Even if your company doesn't have a shop floor full of nuclear centrifuges, you might have a network-attached HVAC or fire alarm system. You're also fairly likely to have some networked UPSes, a VoIP phone system, or an IP-based storage infrastructure -- and you almost definitely have more than your share of network printers. A ton of network devices that almost everyone has -- and few think of as security risks -- never seem to be protected to the same degree of, say, desktop computers. Don't let these systems fly under the radar. Segregate them onto their own network segments, where access is limited solely to the systems that need to access them.